
Help secure your computers with Endpoint Protection and Windows Firewall policy for Microsoft Intune

Updated: November 21, 2014

Applies To: Microsoft Intune

Microsoft Intune can help you to secure your managed computers in a number of ways, including:

  • Endpoint Protection – Provides real-time protection against malware threats, keeps malware definitions up to date, and automatically scans computers. Endpoint Protection also provides tools that help you to manage and monitor malware attacks.

  • Windows Firewall settings – Uses policies that allow you to configure Windows Firewall settings on computers.

  • Software updates – Keeps your computers up to date by ensuring the latest patches and software updates are quickly installed. For details, see Keep your computers up to date with software updates in Microsoft Intune.

If you have not yet installed the Intune client on your computers, see Set up your computers to be managed by Microsoft Intune.

Use the information in the following sections to help you configure, deploy, and monitor Endpoint Protection and Windows Firewall policies.

As an IT admin, one of your top priorities is to keep the computers that you manage free of malware and viruses. Before you deploy Microsoft Intune to client computers in your organization, you should decide how to protect your computers by selecting one of the following options and configuring its associated policy settings:

 

I want to / Endpoint Protection policy settings / More information

Use Microsoft Intune Endpoint Protection only if no third-party endpoint protection application is installed

You can use Microsoft Intune Endpoint Protection on all computers where a third-party endpoint protection application is not installed.

  • Install Endpoint Protection = Yes

  • Enable Endpoint Protection = Yes

  • Install Endpoint Protection even if a third-party endpoint protection application is installed = No

If a third-party endpoint protection application is detected, Microsoft Intune Endpoint Protection will not be installed, or will be uninstalled if it has already been installed.

Use Microsoft Intune Endpoint Protection, even if a third-party endpoint protection application is installed

With this approach, you will be running Microsoft Intune Endpoint Protection and the third-party endpoint protection application (if it is installed) simultaneously. This is not a recommended configuration because of potential performance issues.

  • Install Endpoint Protection = Yes

  • Enable Endpoint Protection = Yes

  • Install Endpoint Protection even if a third-party endpoint protection application is installed = Yes

Use when:

  • You want to switch to using Microsoft Intune Endpoint Protection.

  • You deploy a new client that will use Microsoft Intune Endpoint Protection.

  • You upgrade any client that will use Microsoft Intune Endpoint Protection.

Use Microsoft Intune without Microsoft Intune Endpoint Protection

In this case, you won’t be using Microsoft Intune Endpoint Protection to protect your computers from malware and viruses. Instead, you will rely on a third-party endpoint protection application.

  • Install Endpoint Protection = No

If you are not using a third-party endpoint protection application, this configuration is not recommended, as it could expose your organization’s computers to malware or other attacks.

Microsoft Intune Endpoint Protection is not installed, and it is uninstalled if it was installed previously.

If you want to switch from your current endpoint protection application to Microsoft Intune Endpoint Protection, use the following steps which are explained in more detail later in this topic:

  1. Leave your current endpoint protection application running while you deploy the Intune client software to those computers.

  2. Confirm that Microsoft Intune Endpoint Protection is installed and is helping to secure client computers.

  3. Remove the third-party endpoint protection software by:

    • Using Intune software distribution to deploy a software removal tool that is provided by the manufacturer of the third-party endpoint protection application. For more information, see Manage software with Microsoft Intune.

    • Removing the third-party endpoint protection application manually.

Note: Intune will not uninstall third-party endpoint protection applications.
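The switch-over steps above depend on knowing which endpoint protection products a computer currently has registered. The following PowerShell inventory is an added example, not code from the Intune documentation; it assumes a Windows client OS (the root\SecurityCenter2 namespace does not exist on Server editions), Windows PowerShell 3.0 or later, and that the display-name patterns and the productState bit decoding are adjustable assumptions rather than documented behaviour.

```powershell
# Added example, not from the Intune documentation: inventory the endpoint protection
# products registered with Windows Security Center so you can confirm step 2 (Intune
# Endpoint Protection installed and active) before step 3 (third-party product removed).
# Assumptions: a Windows client OS (root\SecurityCenter2 is absent on Server editions),
# Windows PowerShell 3.0 or later; product names are matched with adjustable patterns.

function Get-RegisteredEndpointProtection {
    [CmdletBinding()]
    param(
        # Display-name patterns treated as Microsoft products (assumption; adjust if the
        # Intune client registers under a different name in your environment).
        [string[]]$MicrosoftNamePattern = @('Microsoft*', 'Windows Defender*')
    )

    $products = Get-CimInstance -Namespace 'root\SecurityCenter2' `
                                -ClassName 'AntiVirusProduct' -ErrorAction Stop

    foreach ($p in $products) {
        # productState is a bit field. The decoding below is the widely used but
        # undocumented interpretation (an assumption): hex digits 3-4 = "10" when
        # real-time protection is on, digits 5-6 = "00" when definitions are current.
        $hex = '{0:X6}' -f [uint32]$p.productState
        $isMicrosoft = $false
        foreach ($pattern in $MicrosoftNamePattern) {
            if ($p.displayName -like $pattern) { $isMicrosoft = $true }
        }
        [pscustomobject]@{
            DisplayName        = $p.displayName
            IsMicrosoft        = $isMicrosoft
            RealTimeEnabled    = ($hex.Substring(2, 2) -eq '10')
            DefinitionsCurrent = ($hex.Substring(4, 2) -eq '00')
            ProductExe         = $p.pathToSignedProductExe
        }
    }
}

function Test-EndpointProtectionMigration {
    # Summarises whether the switch-over described above can proceed: Intune must be
    # protecting the computer before the third-party product is removed, and Intune
    # itself never removes that product.
    $all        = @(Get-RegisteredEndpointProtection)
    $microsoft  = @($all | Where-Object { $_.IsMicrosoft })
    $thirdParty = @($all | Where-Object { -not $_.IsMicrosoft })
    $microsoftActive = [bool]($microsoft | Where-Object { $_.RealTimeEnabled })
    [pscustomobject]@{
        ComputerName           = $env:COMPUTERNAME
        MicrosoftProtectionOn  = $microsoftActive
        ThirdPartyProducts     = ($thirdParty.DisplayName -join '; ')
        # Only remove the third-party product once Intune's protection is confirmed active
        SafeToRemoveThirdParty = ($microsoftActive -and $thirdParty.Count -gt 0)
        # No registered product corresponds to "Devices that are not protected" in the console
        NothingRegistered      = ($all.Count -eq 0)
    }
}

Test-EndpointProtectionMigration | Format-List
```

Run it from the managed computer (or remotely with Invoke-Command) before and after the removal tool is deployed; a non-empty ThirdPartyProducts value after step 3 means the removal did not complete.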

Use the following procedure to help you configure Endpoint Protection for Microsoft Intune.

  1. In the Microsoft Intune administration console, click Policy > Add Policy.

  2. Configure and deploy a Microsoft Intune Agent Settings policy for the Endpoint Protection settings. You can use recommended settings or customize the settings. If you need more information about how to create and deploy policies, see the Manage computers with Microsoft Intune topic.

    The tables after this procedure show the values you can configure in the policy and also the recommended values that will be used if you don’t customize the policy. You can find these settings in the Endpoint Protection section.

You can view the deployed Endpoint Protection policy on the All Policies page of the Policy workspace.

 

Policy setting More information

Install Endpoint Protection

Set to Yes to install Microsoft Intune Endpoint Protection on managed computers. If a third-party endpoint protection application is detected during installation, Microsoft Intune Endpoint Protection will not be installed unless Install Endpoint Protection even if a third party endpoint protection application is installed is set to Yes.

Recommended value: Yes

Note: During an upgrade from a previous version of Intune, clients that already have Microsoft Intune Endpoint Protection will not be affected by this policy setting.

Install Endpoint Protection even if a third party endpoint protection application is installed

Set to Yes to install Microsoft Intune Endpoint Protection even if a third-party endpoint protection application is detected.

Recommended value: Yes

Enable Endpoint Protection

Set to Yes to enable Microsoft Intune Endpoint Protection on computers which have the Endpoint Protection client.

If set to No, and Microsoft Intune Endpoint Protection is installed, the Endpoint Protection client user interface is not displayed to users and all protection features are inactive.

Recommended value: Yes

Disable Client UI

Set to Yes to hide the Microsoft Intune Endpoint Protection client user interface from users (requires a client computer restart to take effect).

Recommended value: No

Install Endpoint Protection even if a third party endpoint protection application is installed

Set to Yes to force the installation of Microsoft Intune Endpoint Protection, even if a third-party endpoint protection application is detected.

Recommended value: No

Create a system restore point before malware remediation

Set to Yes to create a Windows System Restore Point before any malware remediation begins.

Recommended value: Yes

Track resolved malware (days)

Lets Endpoint Protection track resolved malware for a specified time so that you can manually check previously infected computers.

You can specify a value from 0 to 30 days.

Recommended value: 7 days

If you set the policy values for Install Endpoint Protection and Enable Endpoint Protection to Yes, and the policy value for Install Endpoint Protection even if a third party endpoint protection application is installed to No, Microsoft Intune Endpoint Protection detects that another endpoint protection application is installed and is not installed, or is uninstalled if it is already present. Microsoft Intune Endpoint Protection does, however, still report the health of the other endpoint protection application in the Microsoft Intune administrator console.

Policy setting / More information

Enable real-time protection

Enables monitoring and scanning of all files and applications that are accessed. It also blocks any malicious files and applications before they can run on computers.

Recommended value: Yes

Scan all downloads

Enables the scanning of all files and attachments that are downloaded from the Internet to computers.

Recommended value: Yes

Monitor file and program activity on computers

Enables the monitoring of incoming files and outgoing files, and program activity on computers. With this setting, Endpoint Protection can monitor when files and programs start to run and alert you about any actions they perform or actions that are taken on them.

Recommended value: Yes

Files monitored

If Monitor file and program activity on computers is enabled, this setting allows you to choose if only incoming, only outgoing, or all files are monitored.

Recommended value: Monitor all files

Enable behavior monitoring

Allows Microsoft Intune Endpoint Protection to check for certain patterns of suspicious activity on client computers.

Recommended value: Yes

Enable Network Inspection System

Enables Network Inspection System (NIS) on client computers. NIS uses signatures of known vulnerabilities from the Microsoft Malware Protection Center to help detect and block malicious network traffic.

Recommended value: Yes

 

Policy setting More information

Schedule a daily quick scan

Schedules a daily quick scan of both frequently used files and important system files on computers. This quick scan has a minimal effect on performance.

Recommended value: Yes

Run a quick scan if you have missed two consecutive scans

Configures Endpoint Protection to automatically run a quick scan on computers if they miss two consecutive scheduled quick scans.

Recommended value: Yes

Schedule a full scan

Configures a full scan of all files and resources on the local hard disks of computers. This scan can take some time and can affect computer performance (depending on the number of files and resources scanned).

Recommended value: No

Run a full scan if you have missed two consecutive full scans

Configures Endpoint Protection to automatically run a full scan on computers if they miss two consecutive scheduled full scans.

Recommended value: Not configured

Policy setting / More information

Run a full scan after installation of Endpoint Protection

Configures Endpoint Protection to automatically run a full system scan after it is installed on computers. This scan runs only when computers are idle to minimize the effect on user productivity.

Recommended value: Yes

Automatically run a full scan when needed to follow up malware removal

Set to Yes to let Endpoint Protection automatically run a full system scan on computers after the removal of malware to help confirm that other files were not affected.

Recommended value: Yes

Start a scheduled scan only when the computer is idle

Set to Yes to prevent scheduled scans from starting when computers are in use to prevent any loss of user productivity.

Recommended value: Yes

Check for the latest malware definitions before starting a scan

Set to Yes to let Endpoint Protection automatically check for the latest malware definitions before it starts a scan on computers.

Recommended value: Yes

Scan archive files

Set to Yes to configure Endpoint Protection to scan for malware in archive files (like .zip or .cab files) on computers.

Recommended value: No

Scan email messages

Set to Yes to configure Endpoint Protection to scan incoming email messages when they arrive on computers.

Recommended value: Yes

Scan files opened from network shared folders

Set to Yes to configure Endpoint Protection to scan files that are opened from shared folders on the network. These are typically files that are accessed by using a UNC path. Enabling this feature can cause problems for users who have read-only access because they cannot remove malware.

Recommended value: No

Scan mapped network drives

Set to Yes to configure Endpoint Protection to scan files on mapped network drives. Enabling this feature can cause problems for users who have read-only access because they cannot remove malware.

Recommended value: No

Scan removable drives

Set to Yes to configure Endpoint Protection to scan for malware and unwanted software in the contents of removable drives, like USB flash drives, when you run a full scan on computers.

Recommended value: Yes

Limit CPU usage during a scan

Configures the maximum percentage of CPU usage that can be used during scheduled scans on computers. You can set this value from 1 to 100 percent.

Recommended value: 50%

 

Policy setting More information

Choose how Endpoint Protection acts on malware of the following alert levels

Specifies the default action that Endpoint Protection takes when malware of various alert levels is detected.

For each alert level, you can remove the malware, quarantine it, or take Microsoft’s recommended action.

Recommended value: Recommended action

 

Policy setting More information

Files and folders to exclude when running a scan or using real-time protection

Excludes specific files or folders when a scan is run or when real-time protection is used on computers.

 

Policy setting More information

Processes to exclude when running a scan or using real-time protection

Lets you exclude specific processes when a scan is run or when real-time protection is used on computers. You can exclude only files with the following extensions: .exe, .com, or .scr.

 

Policy setting More information

File extensions to exclude when running a scan or using real-time protection

Lets you exclude specific file name extensions when a scan is run or when real-time protection is used on computers.

Microsoft Active Protection Service is an online community that helps you decide how to respond to potential threats. The community also helps stop the spread of new malware infections.

 

Policy setting More information

Join Microsoft Active Protection Service

Set to Yes to automatically send information about detected malware to the Microsoft Active Protection Service. Microsoft does not use any information collected to identify you or to contact you.

Recommended value: Yes

Membership level

If you selected to join the Microsoft Active Protection Service, this setting lets you choose from one of the following membership levels:

  • Basic - Sends basic information to Microsoft about detected malware. This includes where the software came from, the actions that you apply or that Endpoint Protection applies automatically, and whether the actions were successful.

  • Advanced - Sends more information to Microsoft about malware, spyware, and potentially unwanted software. This includes the location of the software, file names, how the software operates, and how it has affected your computer.

Recommended value: Advanced

Receive dynamic definitions based on Microsoft Active Protection Service reports

Set to Yes to let computers receive dynamic malware definitions based on the information that Endpoint Protection sends to the Microsoft Active Protection Service (if you have joined it) about detected malware.

Recommended value: Yes

The following table shows how to carry out common management tasks on managed computers that run Endpoint Protection, either from the Microsoft Intune console or from the managed computer itself.

I want to / From the Microsoft Intune console / From the managed computer

Update malware definitions

From the Groups workspace, select the computers you want to update.

Click Remote Tasks > Update Malware Definitions.

Start the Endpoint Protection client software from the Windows notification area.

Click the Update tab, and then click Update.

Run a malware scan

From the Groups workspace, select the computers you want to scan.

Click Run a Full Malware Scan or Run a Quick Malware Scan.

Start the Endpoint Protection client software from the Windows notification area.

Select Quick, Full, or Custom, and then click Scan now.

You can view the status of a remote task by clicking the Remote Tasks link in the bottom right corner of the Microsoft Intune administrator console.

The Remote Task Status dialog box lists current remote tasks, task status, device name, any reported errors, and provides a link to troubleshooting information, if appropriate.

You monitor the status of malware on your computers by using the Protection workspace of the Microsoft Intune administration console. This workspace contains two pages:

 

Page name / More information

Endpoint Protection Overview

Displays important issues as links that you can click for more information. Issues that might be displayed include:

  • Malware instances that need follow-up – Click the link to see a list of malware issues, including the follow-up action that needs to be taken to resolve each issue. You can further drill into this list to see which computers are affected.

  • Computers with malware that need follow-up – Click the link to see all computers with unresolved malware issues, including the follow-up action that needs to be taken to resolve each issue.

  • Devices that are not protected – Click the link to see computers that are not protected by any endpoint protection software, either because no software is installed, or because there is an error. Select a computer to view more details.

  • Devices with another endpoint protection application running – Click the link to see computers that are running a third-party endpoint protection application.

All Malware

Displays a list of all active malware found on your computers. You can drill into this list to see all computers that are affected by a particular piece of malware, or you can select one of the following tasks:

  • View Properties – Opens a page with more information about the selected malware.

  • Learn About This Malware – Opens a topic from the Microsoft Malware Protection Center with more information about the malware.

Important: The Protection workspace is not displayed in the administrator console until you have installed the client on, and are successfully managing, at least one computer.

The Windows Firewall policy lets you create and deploy settings that control the Windows Firewall on managed computers. You cannot manage custom exceptions for Windows Firewall and these settings do not affect third-party firewalls.

Note: If Microsoft Intune policy and Group Policy are configured to manage the same setting on the computer, the Group Policy setting overrides the Microsoft Intune policy. For information about how to avoid conflicts between Microsoft Intune policies and Group Policy, see Prepare to manage computers with Microsoft Intune.

If you want to deploy Windows Firewall settings to computers running Windows Vista, you must first install Hotfix KB971800 on these computers.

Important: To manage the Windows Firewall using Intune, you must ensure that the following two services are enabled on the computers you will manage:

  • Windows Firewall

  • IPsec Policy Agent

  1. In the Microsoft Intune administration console, click Policy > Add Policy.

  2. Configure and deploy a Windows Firewall Settings policy. You can use recommended settings or customize the settings. If you need more information about how to create and deploy policies, see the Manage computers with Microsoft Intune topic.

    The tables after this procedure show the values you can configure in the policy and also the recommended values that will be used if you don’t customize the policy.

You can view the deployed Windows Firewall policy on the All Policies page of the Policy workspace.

 

Policy setting More information

Domain profile

Enables the Windows Firewall on managed computers while they are connected to domain networks, for example while at the workplace.

Recommended value: Yes

Private profile

Enables the Windows Firewall on managed computers while they are connected to trusted networks, for example while on a home network.

Recommended value: Yes

Public profile

Enables the Windows Firewall on managed computers while they are connected to untrusted networks in public places, for example while at a coffee shop.

Recommended value: Yes

Required operating system: Windows Vista® or later versions

Important: If your environment includes managed computers that are running Windows Vista with no service packs installed, you must either install the update associated with article 971800 in the Microsoft Knowledge Base or disable the Block all incoming connections policy settings in the policies deployed to those computers.

 

Policy setting More information

Domain profile

Blocks all incoming connections while the computers are connected to domain networks, such as at a workplace. This includes those connections in the list of exceptions.

Recommended value: No

Private profile

Blocks all incoming connections while the computers are connected to trusted networks, such as a home network. This includes those connections in the list of exceptions.

Recommended value: No

Public profile

Blocks all incoming connections while the computers are connected to untrusted networks at public places, such as at a coffee shop. This includes those connections in the list of exceptions.

Recommended value: No

Required operating system: Windows Vista or later versions

 

Policy setting More information

Domain profile

Notifies users when Windows Firewall blocks a new program while the computers are connected to domain networks, such as at a workplace.

Recommended value: Yes

Private profile

Notifies users when Windows Firewall blocks a new program while the computers are connected to trusted networks, such as a home network.

Recommended value: Yes

Public profile

Notifies users when Windows Firewall blocks a new program while the computers are connected to untrusted networks at public places, such as a coffee shop.

Recommended value: Yes

Required operating system: Windows Vista or later versions
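The three profile tables above, the two-service prerequisite, and the note that Group Policy wins over Intune policy can all be checked from the computer itself. The following audit is an added example, not code from the Intune documentation; it assumes Windows 8 / Server 2012 or later for the NetSecurity cmdlets, the service names MpsSvc (Windows Firewall) and PolicyAgent (IPsec Policy Agent), and that it runs in an elevated session (on Vista and 7 the equivalent information comes from "netsh advfirewall show allprofiles").

```powershell
# Added example, not from the Intune documentation: verify the services the Windows
# Firewall policy depends on and compare each profile's *effective* settings with the
# recommended values on this page (firewall on, block-all-inbound off, notify on).
# Assumptions: Windows 8 / Server 2012 or later (NetSecurity module), service names
# MpsSvc and PolicyAgent, elevated session.

function Test-FirewallPrerequisiteService {
    # Both services must be present and not disabled for Intune to manage the firewall.
    foreach ($name in 'MpsSvc', 'PolicyAgent') {
        $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$name'"
        [pscustomobject]@{
            Service   = $name
            State     = if ($svc) { $svc.State } else { 'Missing' }
            StartMode = if ($svc) { $svc.StartMode } else { 'Missing' }
            Ok        = [bool]($svc -and $svc.State -eq 'Running' -and $svc.StartMode -ne 'Disabled')
        }
    }
}

function Test-FirewallProfilePolicy {
    # ActiveStore is what the firewall actually enforces, so it already reflects a
    # Group Policy setting that has overridden the Intune policy for the same value.
    foreach ($p in Get-NetFirewallProfile -PolicyStore ActiveStore) {
        $enabled  = ("$($p.Enabled)" -eq 'True')             # "Enables the Windows Firewall"
        $blockAll = ("$($p.AllowInboundRules)" -eq 'False')  # "Block all incoming connections"
        $notify   = ("$($p.NotifyOnListen)" -eq 'True')      # "Notify when a new program is blocked"
        [pscustomobject]@{
            Profile            = $p.Name
            FirewallEnabled    = $enabled
            BlockAllInbound    = $blockAll
            NotifyOnBlock      = $notify
            # Recommended values from the tables above: Yes / No / Yes
            MatchesRecommended = ($enabled -and -not $blockAll -and $notify)
        }
    }
}

function Test-IntuneFirewallReadiness {
    $services = @(Test-FirewallPrerequisiteService)
    $profiles = @(Test-FirewallProfilePolicy)
    [pscustomobject]@{
        ComputerName         = $env:COMPUTERNAME
        ServicesOk           = -not [bool]($services | Where-Object { -not $_.Ok })
        ProfilesAtRecommended = -not [bool]($profiles | Where-Object { -not $_.MatchesRecommended })
        Services             = $services
        Profiles             = $profiles
    }
}

$report = Test-IntuneFirewallReadiness
$report.Services | Format-Table -AutoSize
$report.Profiles | Format-Table -AutoSize
```

A profile whose effective values differ from what the Intune policy sets, while the policy shows as deployed in the console, is the symptom of the Group Policy override described in the note above.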

 

Policy setting More information

BranchCache - Content Retrieval

If enabled, lets BranchCache clients use HTTP to retrieve content from one another in the distributed mode and from the hosted cache in hosted cache mode. This setting uses HTTP.

Recommended value: Not configured

(Windows® 7 or later).

BranchCache - Hosted Cache Client

If enabled, lets BranchCache clients use a hosted cache. This setting uses HTTPS.

Recommended value: Not configured

(Windows 7 or later).

BranchCache - Hosted Cache Server

If enabled, lets BranchCache clients use a hosted cache to communicate with other clients. This setting uses HTTPS.

Recommended value: Not configured

(Windows 7 or later).

BranchCache - Peer Discovery

If enabled, lets BranchCache clients use the WS Discovery protocol to look up content availability on the local subnet.

Recommended value: Not configured

(Windows 7 or later).

BITS Peercaching

If enabled, lets clients use Background Intelligent Transfer Service (BITS) to find and share files that are stored in the BITS cache on clients in the same subnet. This setting uses WSDAPI and RPC.

Recommended value: Not configured

(Windows Vista or later).

Connect to a Network Projector

If enabled, lets users connect to projectors over wired or wireless networks to project presentations. This setting uses WSDAPI.

Recommended value: Not configured

(Windows Vista or later).

Core Networking

If enabled, lets clients use IPv4 and IPv6 to connect to network resources.

Recommended value: Not configured

(Windows Vista or later).

Distributed Transaction Coordinator

If enabled, allows managed computers to coordinate transactions that update transaction-protected resources, like databases, message queues, and file systems.

Recommended value: Not configured

(Windows Vista or later).

File and Printer Sharing

If enabled, allows users to share local files and printers with other users on the network. This setting uses NetBIOS, LLMNR, SMB, and RPC.

Recommended value: Not configured

(Windows XP or later).

HomeGroup

If enabled, allows managed computers to participate in a HomeGroup network.

Recommended value: Not configured

(Windows 7 or later).

iSCSI Service

If enabled, allows managed computers to connect to iSCSI servers and devices.

Recommended value: Not configured

(Windows Vista or later).

Key Management Service

If enabled, lets computers be counted for license compliance in enterprise environments.

Recommended value: Not configured

(Windows Vista or later).

Media Center Extenders

If enabled, allows Media Center Extenders to communicate with computers that are running Windows Media Center. This setting uses SSDP and qWave.

Recommended value: Not configured

(Windows Vista or later).

Netlogon Service

If enabled, configures a security channel between domain clients and a domain controller for authenticating users and services. This setting uses RPC.

Recommended value: Not configured

(Windows Vista or later).

Network Discovery

If enabled, lets computers discover other devices and be discovered by other devices on the network. This setting uses Function Discovery Host and Publication Services and SSDP, NetBIOS, LLMNR, and UPnP network protocols.

Recommended value: Not configured

(Windows Vista or later).

Performance Logs and Alerts

If enabled, allows the Performance Logs and Alerts service to be remotely managed. This setting uses RPC.

Recommended value: Not configured

(Windows Vista or later).

Remote Administration

If enabled, allows remote administration of the computer.

Recommended value: Not configured

(Windows Vista or later).

Remote Assistance

If enabled, lets users of managed computers request remote assistance from other users on the network. This setting uses SSDP, PNRP, Teredo, and UPnP network protocols.

Recommended value: Not configured

(Windows XP or later).

Remote Desktop

If enabled, lets the computer use Remote Desktop to access other computers.

Recommended value: Not configured

(Windows XP or later).

Remote Event Log Management

If enabled, lets client event logs be viewed and managed remotely. This setting uses Named Pipes and RPC.

Recommended value: Not configured

(Windows Vista or later).

Remote Scheduled Tasks Management

If enabled, allows remote management of the task scheduling service. This setting uses RPC.

Recommended value: Not configured

(Windows Vista or later).

Remote Service Management

If enabled, allows remote management of local services on clients. This setting uses Named Pipes and RPC.

Recommended value: Not configured

(Windows Vista or later).

Remote Volume Management

If enabled, allows remote software and hardware disk volume management. This setting uses RPC.

Recommended value: Not configured

(Windows Vista or later).

Routing and Remote Access

If enabled, allows incoming VPN and remote access connections to computers.

Recommended value: Not configured

(Windows Vista or later).

Secure Socket Tunneling Protocol

If enabled, allows incoming VPN connections to managed computers by using Secure Socket Tunneling Protocol (SSTP). This setting uses HTTPS.

Recommended value: Not configured

(Windows Vista or later).

SNMP Trap

If enabled, lets managed computers receive SNMP Trap service traffic.

Recommended value: Not configured

(Windows Vista or later).

UPnP Framework

If enabled, configures the UPnP Framework service on computers to let them discover and use UPnP certified devices.

Recommended value: Not configured

(Windows XP or later).

Windows Collaboration Computer Name Registration Service

If enabled, lets computers find and communicate with other computers by using the Peer Name Resolution Protocol. This setting uses SSDP and PNRP.

Recommended value: Not configured

(Windows Vista or later).

Windows Media Player

If enabled, lets users receive streaming media over UDP.

Recommended value: Not configured

(Windows Vista or later).

Windows Media Player Network Sharing Service

If enabled, lets users share media over a network. This setting uses the SSDP, qWave, and UPnP network protocols.

Recommended value: Not configured

(Windows Vista or later).

Windows Media Player Network Sharing Service (Internet)

If enabled, lets users share home media over the Internet.

Recommended value: Not configured

(Windows 7 or later).

Windows Meeting Space

If enabled, lets users collaborate over a network to share documents, programs, or their desktop. This setting uses DFSR and P2P.

Recommended value: Not configured

(Windows Vista or later).

Windows Peer to Peer Collaboration Foundation

If enabled, configures various peer-to-peer programs and technologies to allow them to connect. This setting uses SSDP and PNRP.

Recommended value: Not configured

(Windows Vista or later).

Windows Remote Management (Compatibility)

If enabled, allows remote management of managed computers by using WS-Management, a Web services-based protocol for remote management of operating systems and devices.

Recommended value: Not configured

(Windows Vista or later).

Windows Remote Management

If enabled, allows remote management of managed computers by using WS-Management, a Web services-based protocol for remote management of operating systems and devices.

Recommended value: Not configured

(Windows 8 or later).

Windows Virtual PC

If enabled, lets virtual machines communicate with other computers.

Recommended value: Not configured

(Windows 7 only).

Wireless Portable Devices

If enabled, allows the transfer of media from a network-enabled camera or media device to managed computers by using the Media Transfer Protocol (MTP). This setting uses SSDP and UPnP network protocols.

Recommended value: Not configured

(Windows Vista or later).
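Every exception group in the table above has a recommended value of Not configured, so the practical question for a defender is which of them are actually enabled on an exposed profile. The report below is an added example, not code from the Intune documentation; it assumes Windows 8 / Server 2012 or later for Get-NetFirewallRule, uses the group names from the table as given, and matches them against the firewall's DisplayGroup values by exact name or by name followed by a parenthesised suffix, because some real groups carry one (the BranchCache groups, for example, append the protocol they use).

```powershell
# Added example, not from the Intune documentation: list which of the predefined
# exception groups from the table above have enabled inbound rules on a given profile.
# Assumptions: Windows 8 / Server 2012 or later; group names are the page's names and
# are matched exactly or with a trailing " (...)" suffix as explained in the lead-in.

$ExceptionGroups = @(
    'BranchCache - Content Retrieval', 'BranchCache - Hosted Cache Client',
    'BranchCache - Hosted Cache Server', 'BranchCache - Peer Discovery',
    'BITS Peercaching', 'Connect to a Network Projector', 'Core Networking',
    'Distributed Transaction Coordinator', 'File and Printer Sharing', 'HomeGroup',
    'iSCSI Service', 'Key Management Service', 'Media Center Extenders',
    'Netlogon Service', 'Network Discovery', 'Performance Logs and Alerts',
    'Remote Administration', 'Remote Assistance', 'Remote Desktop',
    'Remote Event Log Management', 'Remote Scheduled Tasks Management',
    'Remote Service Management', 'Remote Volume Management', 'Routing and Remote Access',
    'Secure Socket Tunneling Protocol', 'SNMP Trap', 'UPnP Framework',
    'Windows Collaboration Computer Name Registration Service', 'Windows Media Player',
    'Windows Media Player Network Sharing Service',
    'Windows Media Player Network Sharing Service (Internet)', 'Windows Meeting Space',
    'Windows Peer to Peer Collaboration Foundation',
    'Windows Remote Management (Compatibility)', 'Windows Remote Management',
    'Windows Virtual PC', 'Wireless Portable Devices'
)

function Get-EnabledExceptionGroup {
    param(
        # Profile to report on; Public is the least trusted and the one to review first.
        [ValidateSet('Domain', 'Private', 'Public')]
        [string]$Profile = 'Public'
    )

    # Effective (ActiveStore) inbound rules that are currently enabled.
    $rules = Get-NetFirewallRule -PolicyStore ActiveStore -Direction Inbound -Enabled True

    foreach ($group in $ExceptionGroups) {
        $matching = @($rules | Where-Object {
            $dg = $_.DisplayGroup
            # Exact name wins; a "Name (suffix)" form only counts when the page does not
            # list that suffixed name itself (keeps "Windows Remote Management" from also
            # claiming "Windows Remote Management (Compatibility)").
            ($dg -eq $group -or
             ($dg -like "$group (*" -and -not ($ExceptionGroups -contains $dg))) -and
            ("$($_.Profile)" -match "\b(Any|$Profile)\b")
        })
        if ($matching.Count -gt 0) {
            [pscustomobject]@{
                ExceptionGroup = $group
                Profile        = $Profile
                EnabledRules   = $matching.Count
                # Groups that expose management or sharing services deserve the closest look
                # on untrusted networks; the page recommends leaving all of them unconfigured.
                ExposesRemoteAccess = [bool]($group -match 'Remote|Sharing|Discovery|Administration|Routing')
            }
        }
    }
}

Get-EnabledExceptionGroup -Profile Public | Sort-Object ExposesRemoteAccess -Descending |
    Format-Table -AutoSize
```

Compare the output across the three profiles (the Profile parameter) to see whether a Group Policy or a local administrator has opened an exception group that the Intune policy leaves unconfigured.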

 
Was this page helpful?
(1500 characters remaining)
Thank you for your feedback
Show:
© 2014 Microsoft